Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Updated xen packages fix multiple vulnerabilities
Informations
Name MDKSA-2007:203 First vendor Publication 2007-11-01
Vendor Mandriva Last vendor Modification 2007-11-01
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 7.2 Attack Range Local
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Tavis Ormandy discovered a heap overflow flaw during video-to-video copy operations in the Cirrus VGA extension code that is used in Xen. A malicious local administrator of a guest domain could potentially trigger this flaw and execute arbitrary code outside of the domain (CVE-2007-1320).

Tavis Ormandy also discovered insufficient input validation leading to a heap overflow in the NE2000 network driver in Xen. If the driver is in use, a malicious local administrator of a guest domain could potentially trigger this flaw and execute arbitrary code outside of the domain (CVE-2007-1321, CVE-2007-5729, CVE-2007-5730).

Steve Kemp found that xen-utils used insecure temporary files within the xenmon tool that could allow local users to truncate arbitrary files (CVE-2007-3919).

Joris van Rantwijk discovered a flaw in Pygrub, which is used as a boot loader for guest domains. A malicious local administrator of a guest domain could create a carefully-crafted grub.conf file which could trigger the execution of arbitrary code outside of that domain (CVE-2007-4993).

Updated packages have been patched to prevent these issues.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDKSA-2007:203

CWE : Common Weakness Enumeration

% Id Name
40 % CWE-787 Out-of-bounds Write (CWE/SANS Top 25)
20 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
20 % CWE-59 Improper Link Resolution Before File Access ('Link Following')
20 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10000
 
Oval ID: oval:org.mitre.oval:def:10000
Title: Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the "net socket listen" option, aka QEMU "net socket" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the individual net socket listen vulnerability.
Description: Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the "net socket listen" option, aka QEMU "net socket" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the individual net socket listen vulnerability.
Family: unix Class: vulnerability
Reference(s): CVE-2007-5730
Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10315
 
Oval ID: oval:org.mitre.oval:def:10315
Title: Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow.
Description: Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow.
Family: unix Class: vulnerability
Reference(s): CVE-2007-1320
Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11240
 
Oval ID: oval:org.mitre.oval:def:11240
Title: pygrub (tools/pygrub/src/GrubConf.py) in Xen 3.0.3, when booting a guest domain, allows local users with elevated privileges in the guest domain to execute arbitrary commands in domain 0 via a crafted grub.conf file whose contents are used in exec statements.
Description: pygrub (tools/pygrub/src/GrubConf.py) in Xen 3.0.3, when booting a guest domain, allows local users with elevated privileges in the guest domain to execute arbitrary commands in domain 0 via a crafted grub.conf file whose contents are used in exec statements.
Family: unix Class: vulnerability
Reference(s): CVE-2007-4993
Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:17613
 
Oval ID: oval:org.mitre.oval:def:17613
Title: USN-527-1 -- xen-3.0 vulnerability
Description: Joris van Rantwijk discovered that the Xen host did not correctly validate the contents of a Xen guests's grug.conf file.
Family: unix Class: patch
Reference(s): USN-527-1
CVE-2007-4993
Version: 7
Platform(s): Ubuntu 7.04
Product(s): xen-3.0
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18680
 
Oval ID: oval:org.mitre.oval:def:18680
Title: DSA-1395-1 xen-3.0 - insecure temporary files
Description: Steve Kemp from the Debian Security Audit project discovered that xen-utils, a collection of XEN administrative tools, used temporary files insecurely within the xenmon tool allowing local users to truncate arbitrary files.
Family: unix Class: patch
Reference(s): DSA-1395-1
CVE-2007-3919
Version: 7
Platform(s): Debian GNU/Linux 4.0
Product(s): xen-3.0
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20455
 
Oval ID: oval:org.mitre.oval:def:20455
Title: DSA-1384-1 xen-3.0
Description: Several local vulnerabilities have been discovered in the Xen hypervisor packages which may lead to the execution of arbitrary code.
Family: unix Class: patch
Reference(s): DSA-1384-1
CVE-2007-4993
CVE-2007-1320
Version: 5
Platform(s): Debian GNU/Linux 4.0
Product(s): xen-3.0
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22666
 
Oval ID: oval:org.mitre.oval:def:22666
Title: ELSA-2007:0323: xen security update (Important)
Description: pygrub (tools/pygrub/src/GrubConf.py) in Xen 3.0.3, when booting a guest domain, allows local users with elevated privileges in the guest domain to execute arbitrary commands in domain 0 via a crafted grub.conf file whose contents are used in exec statements.
Family: unix Class: patch
Reference(s): ELSA-2007:0323-01
CVE-2007-1320
CVE-2007-1321
CVE-2007-4993
Version: 17
Platform(s): Oracle Linux 5
Product(s): xen
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9302
 
Oval ID: oval:org.mitre.oval:def:9302
Title: Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730.
Description: Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730.
Family: unix Class: vulnerability
Reference(s): CVE-2007-1321
Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9913
 
Oval ID: oval:org.mitre.oval:def:9913
Title: (1) xenbaked and (2) xenmon.py in Xen 3.1 and earlier allow local users to truncate arbitrary files via a symlink attack on /tmp/xenq-shm.
Description: (1) xenbaked and (2) xenmon.py in Xen 3.1 and earlier allow local users to truncate arbitrary files via a symlink attack on /tmp/xenq-shm.
Family: unix Class: vulnerability
Reference(s): CVE-2007-3919
Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1
Application 3
Os 2
Os 2

OpenVAS Exploits

Date Description
2009-04-09 Name : Mandriva Update for qemu MDVSA-2008:162 (qemu)
File : nvt/gb_mandriva_MDVSA_2008_162.nasl
2009-04-09 Name : Mandriva Update for xen MDKSA-2007:203 (xen)
File : nvt/gb_mandriva_MDKSA_2007_203.nasl
2009-03-23 Name : Ubuntu Update for xen-3.0 vulnerability USN-527-1
File : nvt/gb_ubuntu_USN_527_1.nasl
2009-03-06 Name : RedHat Update for xen RHSA-2008:0194-01
File : nvt/gb_RHSA-2008_0194-01_xen.nasl
2009-02-27 Name : Fedora Update for xen FEDORA-2007-2270
File : nvt/gb_fedora_2007_2270_xen_fc7.nasl
2009-02-27 Name : Fedora Update for xen FEDORA-2007-2708
File : nvt/gb_fedora_2007_2708_xen_fc7.nasl
2009-02-27 Name : Fedora Update for xen FEDORA-2007-713
File : nvt/gb_fedora_2007_713_xen_fc6.nasl
2009-02-27 Name : Fedora Update for xen FEDORA-2007-737
File : nvt/gb_fedora_2007_737_xen_fc6.nasl
2009-02-17 Name : Fedora Update for kvm FEDORA-2008-4386
File : nvt/gb_fedora_2008_4386_kvm_fc9.nasl
2009-02-17 Name : Fedora Update for kvm FEDORA-2008-4604
File : nvt/gb_fedora_2008_4604_kvm_fc8.nasl
2009-02-17 Name : Fedora Update for kvm FEDORA-2008-9556
File : nvt/gb_fedora_2008_9556_kvm_fc8.nasl
2009-02-16 Name : Fedora Update for kvm FEDORA-2008-10000
File : nvt/gb_fedora_2008_10000_kvm_fc10.nasl
2009-02-16 Name : Fedora Update for xen FEDORA-2008-2083
File : nvt/gb_fedora_2008_2083_xen_fc7.nasl
2009-02-13 Name : Fedora Update for kvm FEDORA-2008-11705
File : nvt/gb_fedora_2008_11705_kvm_fc9.nasl
2009-01-20 Name : SuSE Security Summary SUSE-SR:2009:002
File : nvt/suse_sr_2009_002.nasl
2008-09-04 Name : FreeBSD Ports: qemu, qemu-devel
File : nvt/freebsd_qemu.nasl
2008-01-17 Name : Debian Security Advisory DSA 1395-1 (xen-utils)
File : nvt/deb_1395_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 1384-1 (xen-utils)
File : nvt/deb_1384_1.nasl
2008-01-17 Name : Debian Security Advisory DSA 1284-1 (qemu)
File : nvt/deb_1284_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
42986 QEMU NE2000 Emulator slirp Library Local Overflow

42985 QEMU net socket listen Option Local Overflow

41343 Xen xenmon.py /tmp/xenq-shm Symlink Arbitrary File Truncation

41342 Xen xenbaked /tmp/xenq-shm Symlink Arbitrary File Truncation

41340 Xen pygrub (tools/pygrub/src/GrubConf.py) Cross-Domain Arbitrary Command Exec...

35495 QEMU NE2000 Network Driver Ethernet Frame Handling Overflow

35494 QEMU Cirrus VGA Extension cirrus_invalidate_region Function Multiple Overflows

Nessus® Vulnerability Scanner

Date Description
2016-02-17 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL63519101.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2008-2003.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2008-0194.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2007-0323.nasl - Type : ACT_GATHER_INFO
2012-09-24 Name : The remote Fedora host is missing a security update.
File : fedora_2008-10083.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20080513_xen_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20071004_xen_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2010-01-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2008-0194.nasl - Type : ACT_GATHER_INFO
2010-01-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2007-0323.nasl - Type : ACT_GATHER_INFO
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_kvm-090112.nasl - Type : ACT_GATHER_INFO
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_kvm-090112.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2008-162.nasl - Type : ACT_GATHER_INFO
2008-12-26 Name : The remote Fedora host is missing a security update.
File : fedora_2008-11705.nasl - Type : ACT_GATHER_INFO
2008-11-12 Name : The remote Fedora host is missing a security update.
File : fedora_2008-9556.nasl - Type : ACT_GATHER_INFO
2008-11-03 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_07bb3bd2a92011dd85030211060005df.nasl - Type : ACT_GATHER_INFO
2008-05-29 Name : The remote Fedora host is missing a security update.
File : fedora_2008-4386.nasl - Type : ACT_GATHER_INFO
2008-05-29 Name : The remote Fedora host is missing a security update.
File : fedora_2008-4604.nasl - Type : ACT_GATHER_INFO
2008-05-16 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2008-0194.nasl - Type : ACT_GATHER_INFO
2008-02-29 Name : The remote Fedora host is missing a security update.
File : fedora_2008-2083.nasl - Type : ACT_GATHER_INFO
2007-11-14 Name : The remote openSUSE host is missing a security update.
File : suse_xen-4616.nasl - Type : ACT_GATHER_INFO
2007-11-10 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-527-1.nasl - Type : ACT_GATHER_INFO
2007-11-06 Name : The remote Fedora host is missing a security update.
File : fedora_2007-2708.nasl - Type : ACT_GATHER_INFO
2007-11-06 Name : The remote Fedora host is missing a security update.
File : fedora_2007-2270.nasl - Type : ACT_GATHER_INFO
2007-11-06 Name : The remote Fedora Core host is missing a security update.
File : fedora_2007-737.nasl - Type : ACT_GATHER_INFO
2007-11-02 Name : The remote Mandrake Linux host is missing a security update.
File : mandrake_MDKSA-2007-203.nasl - Type : ACT_GATHER_INFO
2007-10-26 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1395.nasl - Type : ACT_GATHER_INFO
2007-10-09 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1384.nasl - Type : ACT_GATHER_INFO
2007-10-09 Name : The remote Fedora Core host is missing a security update.
File : fedora_2007-713.nasl - Type : ACT_GATHER_INFO
2007-10-03 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2007-0323.nasl - Type : ACT_GATHER_INFO
2007-05-03 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1284.nasl - Type : ACT_GATHER_INFO
2007-05-02 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_0ac89b39f82911dbb55c000e0c6d38a9.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:38:57
  • Multiple Updates